[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.171' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   69.854962][ T8399] ==================================================================
[   69.863292][ T8399] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   69.870288][ T8399] Read of size 8 at addr ffff88802487a968 by task syz-executor995/8399
[   69.878517][ T8399]
[   69.880840][ T8399] CPU: 0 PID: 8399 Comm: syz-executor995 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[   69.890834][ T8399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.900888][ T8399] Call Trace:
[   69.904183][ T8399]  dump_stack+0x107/0x163
[   69.908545][ T8399]  ? find_uprobe+0x12c/0x150
[   69.913131][ T8399]  ? find_uprobe+0x12c/0x150
[   69.917886][ T8399]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   69.924920][ T8399]  ? find_uprobe+0x12c/0x150
[   69.929521][ T8399]  ? find_uprobe+0x12c/0x150
[   69.934125][ T8399]  kasan_report.cold+0x7c/0xd8
[   69.938897][ T8399]  ? find_uprobe+0x12c/0x150
[   69.943484][ T8399]  find_uprobe+0x12c/0x150
[   69.947894][ T8399]  uprobe_unregister+0x1e/0x70
[   69.952665][ T8399]  __probe_event_disable+0x11e/0x240
[   69.957960][ T8399]  probe_event_disable+0x155/0x1c0
[   69.963087][ T8399]  trace_uprobe_register+0x45a/0x880
[   69.968376][ T8399]  ? trace_uprobe_register+0x3ef/0x880
[   69.973845][ T8399]  ? rcu_read_lock_sched_held+0x3a/0x70
[   69.979495][ T8399]  perf_trace_event_unreg.isra.0+0xac/0x250
[   69.985427][ T8399]  perf_uprobe_destroy+0xbb/0x130
[   69.990455][ T8399]  ? perf_uprobe_init+0x210/0x210
[   69.995503][ T8399]  _free_event+0x2ee/0x1380
[   70.000016][ T8399]  perf_event_release_kernel+0xa24/0xe00
[   70.005642][ T8399]  ? fsnotify_first_mark+0x1f0/0x1f0
[   70.010924][ T8399]  ? __perf_event_exit_context+0x170/0x170
[   70.016734][ T8399]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   70.023042][ T8399]  perf_release+0x33/0x40
[   70.027375][ T8399]  __fput+0x283/0x920
[   70.031364][ T8399]  ? perf_event_release_kernel+0xe00/0xe00
[   70.037171][ T8399]  task_work_run+0xdd/0x190
[   70.041687][ T8399]  do_exit+0xc5c/0x2ae0
[   70.045848][ T8399]  ? mm_update_next_owner+0x7a0/0x7a0
[   70.051218][ T8399]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   70.057461][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   70.063722][ T8399]  do_group_exit+0x125/0x310
[   70.068315][ T8399]  __x64_sys_exit_group+0x3a/0x50
[   70.073423][ T8399]  do_syscall_64+0x2d/0x70
[   70.077844][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.083741][ T8399] RIP: 0033:0x43daf9
[   70.087635][ T8399] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   70.094469][ T8399] RSP: 002b:00007ffd06c8a008 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   70.102889][ T8399] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   70.110878][ T8399] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   70.119737][ T8399] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   70.127780][ T8399] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   70.135759][ T8399] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   70.143753][ T8399]
[   70.146083][ T8399] Allocated by task 8399:
[   70.150452][ T8399]  kasan_save_stack+0x1b/0x40
[   70.155130][ T8399]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   70.161031][ T8399]  __uprobe_register+0x19c/0x850
[   70.165970][ T8399]  probe_event_enable+0x357/0xa00
[   70.171004][ T8399]  trace_uprobe_register+0x443/0x880
[   70.176284][ T8399]  perf_trace_event_init+0x549/0xa20
[   70.181587][ T8399]  perf_uprobe_init+0x16f/0x210
[   70.186446][ T8399]  perf_uprobe_event_init+0xff/0x1c0
[   70.191732][ T8399]  perf_try_init_event+0x12a/0x560
[   70.196844][ T8399]  perf_event_alloc.part.0+0xe3b/0x3960
[   70.202449][ T8399]  __do_sys_perf_event_open+0x647/0x2e60
[   70.208078][ T8399]  do_syscall_64+0x2d/0x70
[   70.212492][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.218398][ T8399]
[   70.220735][ T8399] Freed by task 8399:
[   70.224728][ T8399]  kasan_save_stack+0x1b/0x40
[   70.229399][ T8399]  kasan_set_track+0x1c/0x30
[   70.233985][ T8399]  kasan_set_free_info+0x20/0x30
[   70.238935][ T8399]  ____kasan_slab_free.part.0+0xe1/0x110
[   70.244580][ T8399]  slab_free_freelist_hook+0x82/0x1d0
[   70.250227][ T8399]  kfree+0xe5/0x7b0
[   70.254123][ T8399]  put_uprobe+0x13b/0x190
[   70.258478][ T8399]  uprobe_apply+0xfc/0x130
[   70.262888][ T8399]  trace_uprobe_register+0x5c9/0x880
[   70.268254][ T8399]  perf_trace_event_init+0x17a/0xa20
[   70.273533][ T8399]  perf_uprobe_init+0x16f/0x210
[   70.278403][ T8399]  perf_uprobe_event_init+0xff/0x1c0
[   70.283943][ T8399]  perf_try_init_event+0x12a/0x560
[   70.289048][ T8399]  perf_event_alloc.part.0+0xe3b/0x3960
[   70.294677][ T8399]  __do_sys_perf_event_open+0x647/0x2e60
[   70.300317][ T8399]  do_syscall_64+0x2d/0x70
[   70.304756][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.310648][ T8399]
[   70.312965][ T8399] The buggy address belongs to the object at ffff88802487a800
[   70.312965][ T8399]  which belongs to the cache kmalloc-512 of size 512
[   70.327022][ T8399] The buggy address is located 360 bytes inside of
[   70.327022][ T8399]  512-byte region [ffff88802487a800, ffff88802487aa00)
[   70.340303][ T8399] The buggy address belongs to the page:
[   70.345950][ T8399] page:0000000096a70af3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2487a
[   70.356153][ T8399] head:0000000096a70af3 order:1 compound_mapcount:0
[   70.362848][ T8399] flags: 0xfff00000010200(slab|head)
[   70.368464][ T8399] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[   70.377052][ T8399] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   70.385740][ T8399] page dumped because: kasan: bad access detected
[   70.392161][ T8399]
[   70.394485][ T8399] Memory state around the buggy address:
[   70.400114][ T8399]  ffff88802487a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.408173][ T8399]  ffff88802487a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.416237][ T8399] >ffff88802487a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.424292][ T8399]                                                           ^
[   70.431786][ T8399]  ffff88802487a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.439848][ T8399]  ffff88802487aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.447918][ T8399] ==================================================================
[   70.455978][ T8399] Disabling lock debugging due to kernel taint
[   70.462280][ T8399] Kernel panic - not syncing: panic_on_warn set ...
[   70.468883][ T8399] CPU: 0 PID: 8399 Comm: syz-executor995 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[   70.480275][ T8399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.490364][ T8399] Call Trace:
[   70.493662][ T8399]  dump_stack+0x107/0x163
[   70.498031][ T8399]  ? find_uprobe+0x90/0x150
[   70.502567][ T8399]  panic+0x306/0x73d
[   70.506497][ T8399]  ? __warn_printk+0xf3/0xf3
[   70.511112][ T8399]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   70.517325][ T8399]  ? trace_hardirqs_on+0x38/0x1c0
[   70.522373][ T8399]  ? trace_hardirqs_on+0x51/0x1c0
[   70.527415][ T8399]  ? find_uprobe+0x12c/0x150
[   70.532038][ T8399]  ? find_uprobe+0x12c/0x150
[   70.536635][ T8399]  end_report.cold+0x5a/0x5a
[   70.541239][ T8399]  kasan_report.cold+0x6a/0xd8
[   70.545989][ T8399]  ? find_uprobe+0x12c/0x150
[   70.550580][ T8399]  find_uprobe+0x12c/0x150
[   70.554985][ T8399]  uprobe_unregister+0x1e/0x70
[   70.559752][ T8399]  __probe_event_disable+0x11e/0x240
[   70.565046][ T8399]  probe_event_disable+0x155/0x1c0
[   70.570149][ T8399]  trace_uprobe_register+0x45a/0x880
[   70.575427][ T8399]  ? trace_uprobe_register+0x3ef/0x880
[   70.581410][ T8399]  ? rcu_read_lock_sched_held+0x3a/0x70
[   70.586951][ T8399]  perf_trace_event_unreg.isra.0+0xac/0x250
[   70.592837][ T8399]  perf_uprobe_destroy+0xbb/0x130
[   70.597867][ T8399]  ? perf_uprobe_init+0x210/0x210
[   70.602883][ T8399]  _free_event+0x2ee/0x1380
[   70.607380][ T8399]  perf_event_release_kernel+0xa24/0xe00
[   70.613018][ T8399]  ? fsnotify_first_mark+0x1f0/0x1f0
[   70.618392][ T8399]  ? __perf_event_exit_context+0x170/0x170
[   70.624193][ T8399]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   70.630428][ T8399]  perf_release+0x33/0x40
[   70.634750][ T8399]  __fput+0x283/0x920
[   70.638723][ T8399]  ? perf_event_release_kernel+0xe00/0xe00
[   70.644539][ T8399]  task_work_run+0xdd/0x190
[   70.649049][ T8399]  do_exit+0xc5c/0x2ae0
[   70.653193][ T8399]  ? mm_update_next_owner+0x7a0/0x7a0
[   70.658556][ T8399]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   70.664801][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   70.671039][ T8399]  do_group_exit+0x125/0x310
[   70.675626][ T8399]  __x64_sys_exit_group+0x3a/0x50
[   70.680656][ T8399]  do_syscall_64+0x2d/0x70
[   70.685063][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.690947][ T8399] RIP: 0033:0x43daf9
[   70.694823][ T8399] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   70.701648][ T8399] RSP: 002b:00007ffd06c8a008 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   70.710077][ T8399] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   70.718055][ T8399] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   70.726023][ T8399] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   70.733990][ T8399] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   70.741950][ T8399] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   70.750596][ T8399] Kernel Offset: disabled
[   70.754920][ T8399] Rebooting in 86400 seconds..
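What the report above says, read off its three stacks: the uprobe object (a kmalloc-512 allocation) was created in __uprobe_register during perf_event_open, released through put_uprobe called from uprobe_apply inside the same trace_uprobe_register call, and the dangling pointer was then followed by find_uprobe when the exiting task's perf event was torn down (do_exit, task_work_run, perf_release, perf_uprobe_destroy, uprobe_unregister). The access lands 360 bytes into the freed 512-byte object, and allocation, free and use all happen in task 8399. The parser below extracts exactly those facts mechanically from the report text. It is an added example, not syzbot's or the kernel's own tooling; it assumes only the layout visible above (the "[ ts][ Tpid] " console prefix on every line, then the standard KASAN sections), and the sample it runs on is an abridged excerpt of this report.

```python
"""Parse a KASAN report from a syzbot console log into a triage summary. Added
example, not syzbot's or the kernel's tooling; it assumes only the layout seen
above: a "[ ts][ Tpid] " prefix per line, then the standard KASAN sections."""
import re
from dataclasses import dataclass, field

_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")        # "[   69.863292][ T8399] "
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task \S+/(?P<pid>\d+)")
_HDR = re.compile(r"^(?:Call Trace:|(?P<what>Allocated|Freed) by task (?P<pid>\d+):)$")
_FRAME = re.compile(r"^(?P<stale>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_OBJECT = re.compile(r"object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
# Reporting/allocator frames on top of every stack; they carry no triage signal.
_NOISE = ("dump_stack", "print_address_description", "kasan_", "____kasan_",
          "slab_free_freelist_hook", "kfree", "end_report")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    cache: str = ""
    object_base: int = 0
    object_size: int = 0
    offset: int = -1
    stack_pid: dict = field(default_factory=dict)   # "alloc"/"free" -> task pid
    stacks: dict = field(default_factory=lambda: {"use": [], "alloc": [], "free": []})

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None          # section: the stack we are inside, if any
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if m := _HDR.match(line):
            section = {"Allocated": "alloc", "Freed": "free"}.get(m["what"], "use")
            if m["pid"]:
                r.stack_pid[section] = int(m["pid"])
            continue
        if section is not None:
            if fm := _FRAME.match(line):
                if not fm["stale"]:           # "? sym" entries are leftover stack slots
                    r.stacks[section].append(fm["sym"])
                continue
            section = None                    # blank line, RIP:, registers: stack is over
        if m := _BUG.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := _ACCESS.search(line):
            r.op, r.size, r.addr, r.pid = m["op"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif m := _OBJECT.search(line):
            r.object_base = int(m["base"], 16)
        elif m := _CACHE.search(line):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := _OFFSET.search(line):
            r.offset = int(m["off"])
    return r

def triage(r: KasanReport) -> dict:
    """Facts for a triage note: where the object was allocated, freed and then used."""
    first = lambda frames: next((f for f in frames if not f.startswith(_NOISE)), None)
    use, free = r.stacks["use"], r.stacks["free"]
    return {
        "summary": f"KASAN {r.kind}: {r.op.lower()} of {r.size} bytes in {r.func}",
        "slab": f"{r.cache} object at 0x{r.object_base:x}, access at +{r.offset}",
        "in_object": r.object_base <= r.addr < r.object_base + r.object_size,
        "same_task": r.pid == r.stack_pid.get("alloc") == r.stack_pid.get("free"),
        "allocated_in": first(r.stacks["alloc"]),
        "freed_in": first(free),
        "used_in": first(use),
        # Frames on both the free and the use path: the code that dropped the
        # object and later followed the dangling pointer lives there.
        "shared_frames": [f for f in use if f in free and not f.startswith(_NOISE)],
    }

# Abridged excerpt of the report above (the real stacks are longer).
SAMPLE = """\
[   69.863292][ T8399] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   69.870288][ T8399] Read of size 8 at addr ffff88802487a968 by task syz-executor995/8399
[   69.900888][ T8399] Call Trace:
[   69.908545][ T8399]  ? find_uprobe+0x12c/0x150
[   69.934125][ T8399]  kasan_report.cold+0x7c/0xd8
[   69.943484][ T8399]  find_uprobe+0x12c/0x150
[   69.947894][ T8399]  uprobe_unregister+0x1e/0x70
[   69.963087][ T8399]  trace_uprobe_register+0x45a/0x880
[   70.083741][ T8399] RIP: 0033:0x43daf9
[   70.146083][ T8399] Allocated by task 8399:
[   70.150452][ T8399]  kasan_save_stack+0x1b/0x40
[   70.161031][ T8399]  __uprobe_register+0x19c/0x850
[   70.171004][ T8399]  trace_uprobe_register+0x443/0x880
[   70.220735][ T8399] Freed by task 8399:
[   70.254123][ T8399]  put_uprobe+0x13b/0x190
[   70.258478][ T8399]  uprobe_apply+0xfc/0x130
[   70.262888][ T8399]  trace_uprobe_register+0x5c9/0x880
[   70.312965][ T8399] The buggy address belongs to the object at ffff88802487a800
[   70.312965][ T8399]  which belongs to the cache kmalloc-512 of size 512
[   70.327022][ T8399] The buggy address is located 360 bytes inside of
"""
```

Run `triage(parse_kasan_report(SAMPLE))` (or feed the full console log) to get the summary line, the slab cache and offset, whether the access is inside the freed object, whether allocation, free and use share a task, the first non-reporting frame of each stack, and the frames common to the free and use paths (here trace_uprobe_register), which is where to start reading the source. The "? sym" entries are deliberately dropped: they are stale stack slots, not real callers.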